CVE-2020-13756
Published: 2020-06-03
Priority: P184
Severity: critical, 9.8 (CVSS 3.1), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 55.08% (98.9th percentile)
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-horde-css-parser | < php-horde-css-parser 1.0.11-8+deb11u1 (bullseye) | php-horde-css-parser 1.0.11-8+deb11u1 (bullseye) |
| sabberworm | php-css-parser | >= 1.0.0 < 1.0.1 | 1.0.1 |
| sabberworm | php-css-parser | >= 2.0.0 < 2.0.1 | 2.0.1 |
| sabberworm | php-css-parser | >= 3.0.0 < 3.0.1 | 3.0.1 |
| sabberworm | php-css-parser | >= 4.0.0 < 4.0.1 | 4.0.1 |
| sabberworm | php-css-parser | >= 5.0.0 < 5.0.9 | 5.0.9 |
| sabberworm | php-css-parser | >= 5.1.0 < 5.1.3 | 5.1.3 |
| sabberworm | php-css-parser | >= 5.2.0 < 5.2.1 | 5.2.1 |
| sabberworm | php-css-parser | >= 6.0.0 < 6.0.2 | 6.0.2 |
| sabberworm | php-css-parser | >= 7.0.0 < 7.0.4 | 7.0.4 |
| sabberworm | php-css-parser | >= 8.0.0 < 8.0.1 | 8.0.1 |
| sabberworm | php-css-parser | >= 8.1.0 < 8.1.1 | 8.1.1 |
| sabberworm | php-css-parser | >= 8.2.0 < 8.2.1 | 8.2.1 |
| sabberworm | php-css-parser | >= 8.3.0 < 8.3.1 | 8.3.1 |
| sabberworm | php_css_parser | < 8.3.1 | 8.3.1 |
Detection & IOCs (extracted from sources)
- Vulnerable code path: exploitation requires calling allSelectors() or getSelectorsBySpecificity() with attacker-controlled input, which triggers an unsafe eval() on uncontrolled CSS data.
- The root cause is an eval() call on uncontrolled CSS parser input; monitor PHP process logs for unexpected eval() execution originating from CSS parsing code paths.
- Patch reference commit for diff-based detection or file integrity monitoring: upstream fix at GitHub commit 2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4.
- The vulnerability only triggers when attacker-controlled input is passed to allSelectors() or getSelectorsBySpecificity(); deployments that do not expose these functions to untrusted input are not directly exploitable.
- Affected versions are Sabberworm PHP CSS Parser before 8.3.1; Debian bullseye ships a patched version (1.0.11-8+deb11u1) while bookworm remains open as of the source publication date.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |
Ubuntu
Horde Css Parser vulnerability
vendor_ubuntu·2025-05-07·CVSS 9.8
Title: Horde Css Parser vulnerability
Summary: Horde Css Parser could be made to crash or run programs as your login if
it opened a specially crafted file.
It was discovered that Horde Css Parser did not correctly handle
parsing uncontrolled CSS data. An attacker could possibly use
this issue to perform remote code execution. (CVE-2020-13756)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2020-13756: php-horde-css-parser - Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly...
vendor_debian·2020·CVSS 9.8
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.0.11-8+deb11u1)
sid: resolved (fixed in 1.0.11-8.1)
OSV
php-horde-css-parser vulnerability
osv·2025-05-07·CVSS 9.8
It was discovered that Horde Css Parser did not correctly handle
parsing uncontrolled CSS data. An attacker could possibly use
this issue to perform remote code execution. (CVE-2020-13756)
OSV
Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
osv·2022-03-26
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
GHSA
Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
ghsa·2022-03-26
CWE-20 (Improper Input Validation)
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
OSV
CVE-2020-13756: Sabberworm PHP CSS Parser before 8
osv·2020-06-03·CVSS 9.8
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
VulnCheck
sabberworm php_css_parser Improper Control of Generation of Code ('Code Injection')
vulncheck·2020·CVSS 9.8
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Affected: sabberworm php_css_parser
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/; https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13756 php-PHP-CSS-Parser: evaluation of uncontrolled data can result in remote code execution
bugzilla·2020-06-09·CVSS 9.8
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
Reference:
http://seclists.org/fulldisclosure/2020/Jun/7
Upstream commit:
https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
Discussion:
Created php-PHP-CSS-Parser tracking bugs for this issue:
Affects: epel-all [bug 1845653]
Affects: fedora-all [bug 1845652]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the d
Bugzilla
CVE-2020-13756 php-PHP-CSS-Parser: evaluation of uncontrolled data can result in remote code execution [epel-all]
bugzilla·2020-06-09·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue a
Bugzilla
CVE-2020-13756 php-PHP-CSS-Parser: evaluation of uncontrolled data can result in remote code execution [fedora-all]
bugzilla·2020-06-09·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
References:
- http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html
- http://seclists.org/fulldisclosure/2020/Jun/7
- https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
- https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1
- https://lists.debian.org/debian-lts-announce/2025/10/msg00013.html